| Field | Value |
|---|---|
| Summary: | media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827) |
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Reporter: | Stefan Behte (RETIRED) <craig> |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | major |
| Priority: | High |
| CC: | media-video |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.ocert.org/advisories/ocert-2008-013.html |
| Whiteboard: | A2 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Bug Depends on: | 241110 |
| Bug Blocks: | |
| Attachments: | |

Description
Stefan Behte (RETIRED)
2008-09-30 10:05:40 UTC
apparently this is fixed in r27675, mplayer/trunk/libmpdemux/demux_real.c

Created attachment 166868
The patch was released..
This was from the Maintainers

Can we get either stable an mplayer that has this and bug 231836 fixed, or apply the two patches onto our current stable?

mplayer-1.0_rc2_p27725 in the tree

I see that mplayer-1.0_rc2_p27725-r1 is in the tree, does https://bugs.gentoo.org/show_bug.cgi?id=241110 still need to be fixed? I'd like to get this thing into stable.

Arches, please test and mark stable:
=media-video/mplayer-1.0_rc2_p27725-r1
Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Arches which don't even have ~arch: "alpha ia64 ppc sparc"

Apparently, there are still problems w/ sparc and alpha (according to the bug in the dependencies), can you fix them beandog (or anyone from media-video)?

this needs the following packages stable on amd64/x86 (according to repoman):
'>=media-video/dirac-0.10.0', 'media-libs/schroedinger', '>=media-libs/x264-0.0.20080406'

(In reply to comment #7)
> this needs the following packages stable on amd64/x86 (according to repoman):
> '>=media-video/dirac-0.10.0', 'media-libs/schroedinger',

these should be ok

> '>=media-libs/x264-0.0.20080406'

please check stable packages from: http://tinderbox.dev.gentoo.org/misc/rindex/media-libs/x264 against 0.0.20080819
This snapshot had been slatted just before an API change; I don't remember any specific breakage with that version, but better double check. Note that you'll need to stabilize x264-encoder of the same version at the same time.
0.0.20081006 changes a bit the API and will break a couple of stable packages.

amd64/x86 stable for the following packages:
=media-video/dirac-1.0.0
=media-libs/schroedinger-1.0.5
=media-libs/x264-0.0.20080819
=media-video/x264-encoder-0.0.20080819
=media-video/mplayer-1.0_rc2_p27725-r1

hppa stable

ppc64 stable

ppc stable

Stable on alpha. Had to mask the dxr3 USE flag due to lack of hardware for testing.

ia64 stable, sparc is waiting for bug 241110

Sparc stable, sorry for the hold-up :(

request filed

GLSA 200901-07. Thanks everyone, sorry about the delay.